
Re: [Savannah-users] password must be more complicated

From: Bruce Korb
Subject: Re: [Savannah-users] password must be more complicated
Date: Thu, 09 May 2013 07:53:19 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5

Hi Bob,

On 05/07/13 00:48, Bob Proulx wrote:
> Bruce Korb wrote:
>> Now that passwords are a teeny tad more of a nuisance,
>
> The change posted should make them easier to use not harder to use.

OK, a tad easier but still a nuisance in the grand scheme of things.
Were there only one web site to worry about, one could make a
password as arbitrarily difficult as one wanted to make it and
still be able to cope.  The problem is that I visit lots of different
web sites that have lots of different requirements about user names
and passwords.  Even worse, the password requirements conflict.
One web site (thankfully only one) requires digits only.

The solution I cooked up is not about just one web site, regardless
of how friendly you've made it.  (I do think it is better than any
other site I know of, but it is still beside the point.)

The problem statement:

  How do you remember many login credentials without recording them?

You can make the credential records more difficult by using a
password manager, but that database has to be stored somewhere.
And you have to have access to it to access login credentials.
That makes it a nuisance.  The best solution I've seen is a
shared secret encryption database kept "in the cloud".

I wanted a secure database secured in a way that I don't care
if someone gets ahold of it and even manages to obtain one
valid password.  I have accomplished this, I believe. You must
remember a "password id" (e.g. a domain name and some prefix
and/or suffix) and that id and a password "seed" get sha256
hashed into random letters, digits and special characters,
trimmed to a maximum length and then fiddled based on
character classification requirements.  To change the password,
I add a new seed.  Done.  The only thing to remember are the
password ids.  Those are trivial, but nowhere recorded.

$ mypw bogus

seed-tag     bogus pw:
first        4W4cnDvA+xDjWOEJ
second       g6Sb5UNeTMvpd45n
$ mypw -l 40 -t bogus-name bogus

seed-tag     bogus-tag: bogus-name   pw:
first        4W4cnDvA+xDjWOEJw/bC+NAdZ0Q4dBQA4P9XEU9U
second       g6Sb5UNeTMvpd45nuVPHPTjZ56ooOsvTsSixvmbC
$ mypw bogus

seed-tag     bogus-tag: 'bogus-name'   pw:
first        4W4cnDvA+xDjWOEJw/bC+NAdZ0Q4dBQA4P9XEU9U
second       g6Sb5UNeTMvpd45nuVPHPTjZ56ooOsvTsSixvmbC

The password to use depends on whether the bogus site is still on
the first password or has been updated to the second.  You do
need to remember that, too.  The old seeds get removed when you
are sure you're done with them.  My real current seed tag
is "May 2013".

Oh, you can reproduce the above results with this ~/.local/mypw.cfg
file if you are curious:

  <text>the first text seed</text>

  <text>some more text</text>
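The derivation Bruce describes (hash a password id together with a seed, encode the digest as letters, digits and a couple of specials, trim to a length, then patch in any character class the site insists on) is easy to model. The block below is an added illustration written for this archive page; it is not the mypw tool and will not reproduce the strings in the mail, because the mail does not say how id and seed are laid out before hashing, which encoding is used, or how the "fiddling" picks positions. Those three choices (a newline between seed and id, base64 output with "+" and "/" as the special characters, and replacement positions drawn from a second SHA-256) are assumptions made here. The two seed strings are the ones from the cfg file shown above.

```python
"""Deterministic password derivation in the spirit of the scheme in the mail.
Added, hypothetical reconstruction: hash layout, encoding and the fiddling
rule are assumptions, not the behaviour of the real mypw."""
import base64
import hashlib
import string

# Character classes a site may insist on.  "+" and "/" are the only two
# non-alphanumerics that base64 output can contain (assumed special set).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "+/",
}


def _class_of(ch):
    """Return the CLASSES key containing ch; every base64 character has one."""
    for name, alphabet in CLASSES.items():
        if ch in alphabet:
            return name
    raise ValueError("unexpected character %r" % ch)


def _keystream(seed, password_id, nbytes):
    """SHA-256 over seed and id (assumed layout: seed, newline, id), chained
    with a counter only when more bytes are needed than one digest gives."""
    digest = hashlib.sha256((seed + "\n" + password_id).encode("utf-8")).digest()
    out = digest
    counter = 0
    while len(out) < nbytes:
        counter += 1
        out += hashlib.sha256(digest + counter.to_bytes(4, "big")).digest()
    return out


def derive(password_id, seed, length=16,
           require=("lower", "upper", "digit", "special")):
    """Turn (password_id, seed) into a password of `length` characters:
    hash, base64-encode, trim, then patch in every class in `require`
    that is missing.  A patch never overwrites the sole representative of
    another required class, so the result is deterministic and satisfies
    all requested classes whenever length >= len(require)."""
    if length < len(require):
        raise ValueError("length too short for the required classes")
    # 3 hash bytes become 4 base64 characters; ask for a little extra
    material = _keystream(seed, password_id, 3 * (length // 4 + 1))
    pw = list(base64.b64encode(material).decode("ascii").rstrip("=")[:length])
    # independent bytes for choosing where and what to patch (assumption)
    sel = hashlib.sha256(b"fiddle" + material).digest()
    for i, name in enumerate(require):
        if any(ch in CLASSES[name] for ch in pw):
            continue  # class already present, nothing to do
        counts = {}
        for ch in pw:
            counts[_class_of(ch)] = counts.get(_class_of(ch), 0) + 1
        start = sel[2 * i] % length
        for k in range(length):
            pos = (start + k) % length
            cls = _class_of(pw[pos])
            if cls not in require or counts[cls] > 1:
                break  # safe to overwrite this position
        alphabet = CLASSES[name]
        pw[pos] = alphabet[sel[2 * i + 1] % len(alphabet)]
    return "".join(pw)


def derive_all(password_id, seeds, length=16):
    """One password per seed tag, like the table mypw prints: an old
    password stays reproducible until its seed is dropped from the config."""
    return {tag: derive(password_id, seed, length) for tag, seed in seeds.items()}


# Seeds taken from the ~/.local/mypw.cfg shown in the mail; tags are assumed.
SEEDS = {"first": "the first text seed", "second": "some more text"}

if __name__ == "__main__":
    for tag, pw in derive_all("bogus", SEEDS).items():
        print("%-12s %s" % (tag, pw))
    for tag, pw in derive_all("bogus", SEEDS, 40).items():
        print("%-12s %s" % (tag, pw))
```

Because the trimming happens before the patching, a 16-character and a 40-character password for the same id and seed share a prefix exactly when the shorter one already contained every required class, which mirrors the two tables in the mail. The security of the whole scheme rests on the seed alone: anyone holding the seed file and guessing a password id can regenerate that site's password, so the seeds deserve the same protection as a password manager database.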
